Anthropic has created an artificial intelligence model that can autonomously find and exploit zero-day software vulnerabilities at a level that the company says surpasses decades of human security research and all existing automated tools.
A closer look at its prowess suggests potential threats to DeFi crypto infrastructure. Let’s start with its capabilities.
Finding long-hidden vulnerabilities
The Claude Mythos Preview model has a knack for uncovering software bugs that have long eluded human experts, a task comparable to finding a needle in a million haystacks.
It found a 27-year-old bug in OpenBSD, an operating system built specifically to be difficult to hack, for less than $50 worth of compute.
It found a 16-year-old flaw in FFmpeg, the video software that powers most of the Internet’s streaming infrastructure, which had been scanned five million times by automated security tools without anyone detecting it.
It even wrote a browser exploit that chained together four separate vulnerabilities to break through two layers of security. It also took a publicly known Linux vulnerability and turned it into a full attack in less than a day for less than $2,000, a job that would normally take a qualified human researcher weeks.
This has set alarm bells ringing in the tech industry, and rightly so, as Mythos already exists, is operational, and is discovering vulnerabilities in the code that protects users’ funds that no human or tool has found in 27 years. This is in stark contrast to recent fears about the risks of quantum computing for Bitcoin, which remain largely theoretical.
Why should cryptocurrency developers care?
The findings most relevant to cryptocurrencies appear on Anthropic’s technical blog, which says that Mythos found security flaws in what the company calls “the world’s most popular cryptography libraries,” covering TLS, AES-GCM, and SSH. These are critical to internet security: they secure HTTPS connections, encrypt data, and allow developers to remotely access the servers that support DeFi and exchange infrastructure.
Flaws or errors in these could allow someone to forge certificates or decrypt private communications.
The risk is particularly high for DeFi protocols, which are open source software. Anyone can read their code, including a model like Mythos that can autonomously catalog every weakness in a codebase at machine speed for near-zero marginal cost.
And while the smart contracts holding the roughly $200 billion locked on Ethereum, Solana, and other chains have been audited by humans and automated scanners, Anthropic claims Mythos operates beyond both.
The company noted that “mitigations whose security value comes primarily from friction rather than hard barriers can become considerably weaker against model-assisted adversaries.”
Multi-signature governance (which requires multiple people to approve a blockchain transaction), time locks (which delay a transaction for a set period), and audit reports offered as proof of security are all friction-based defenses. In simple terms, these measures slow an attack down rather than blocking it at the code level.
So far, it hasn’t shaken market valuations. The CoinDesk DeFi Select Index has gained 7% in 24 hours, outperforming bitcoin and ether, as the temporary ceasefire between the United States and Iran has reinforced risk sentiment. But looking ahead, traders may want to keep an eye not only on macroeconomic factors, but also on developments around Mythos, given its potential implications for blockchain software and security.
All that said, the Mythos model will not be released to the general public just yet, but will instead be shared with a select group of 40 software giants, such as Google, Apple and Microsoft, under ‘Project Glasswing’.




